CVE-2025-64328
Published: February 3, 2026
Official Description
Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user.
CISA KEV Advisory
Sangoma FreePBX OS Command Injection Vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Risk Analysis
Sangoma FreePBX Endpoint Manager contains an OS command injection vulnerability that allows a post-authentication command injection by an authenticated user. The high CVSS score, EPSS score, and confirmed exploitation indicate this is a severe vulnerability that is actively being targeted for remote access.
This vulnerability is actively exploited in the wild and is listed in CISA's KEV catalog. While it requires prior authentication, its remote exploitability and potential for remote access as an asterisk user make it a significant threat.
Apply available patches for Sangoma FreePBX Endpoint Manager to address this OS command injection vulnerability. Implement strong authentication and regularly audit user accounts and permissions to prevent unauthorized access.
Technical Analysis
CVE-2025-64328 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires high privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service), with a CVSS base score of 7.2.
CISA has added CVE-2025-64328 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2025-64328 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
- CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- Active exploitation confirmed: treat as P1